WebApp Sec mailing list archives
RE: Dropping connection instead of returning 400
From: Michael Silk <michaelsilk () gmail com>
Date: Fri, 4 Mar 2005 09:56:09 +1100
Christopher,

It seems like such a trivial measure that I don't think breaking the spec is worth it. You seem to be concerned about the information returned... well just return less. Don't 'break the spec' for something so trivial.

Like the comments on your blog say, bandwidth is a silly reason; and you can simply configure the server to not display the OS, or give a fake OS if that makes you feel more comfortable.

Breaking the spec is a bad idea, IMO.

-- Michael
-----Original Message-----
From: christopher () baus net [mailto:christopher () baus net]
Sent: Wednesday, 2 March 2005 4:00 PM
To: webappsec () securityfocus com
Subject: Dropping connection instead of returning 400

I have an application proxy "under my pillow" so to speak. I've built it from the ground up over the past couple years with security in mind. It has been a long and tedious task, but I think my efforts are finally starting to pay off.

One thing that keeps coming back to me is 400 Bad Request handling. It is now my opinion that security proxies should just drop connection when faced with traffic they refuse to handle. I put some thoughts on this on my blog here:

http://www.baus.net/400-bad-request

Which caused one client developer to call me a non-compliant wanker here:

http://www.mackmo.com/nick/blog/java/?permalink=Please_send_400_Bad_Request_and_.txt

I then followed up with the general thought that I'm willing to be non-compliant in the name of security:

http://www.baus.net/breaking-the-spec-in-the-name-of-security

So what do you think? Is security worth non-compliance with the HTTP spec?

Christopher Baus
========
Implementing an HTTP proxy? Consider a fast, secure alternative
http://www.baus.net/
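The two positions in the exchange above, as an added illustration that is not part of the thread and not Christopher Baus's proxy or any real product: a strict request-line check, then either the "just return less" option (a spec-conformant 400 with no Server header and no body) or the "drop the connection" option, plus a chatty 400 for contrast so the difference in what each variant discloses can be measured. The sample requests, the 8192-byte line limit, the policy names and the Server header value in the chatty response are all constructed for this example.

```python
"""Handling a request a proxy refuses: bare 400 versus silent drop.

Illustrative code written for this page; not Christopher Baus's proxy,
not any real product. All sample traffic below is constructed.
"""
import re

MAX_REQUEST_LINE = 8192  # assumed limit; a real proxy picks its own

# Strict request-line grammar: token method, visible-ASCII target, HTTP/1.0 or HTTP/1.1.
_REQUEST_LINE = re.compile(rb"^([A-Z]{1,16}) ([\x21-\x7e]+) HTTP/(1\.[01])$")

# Constructed samples: one valid request, one with an unsupported version,
# one that is not HTTP at all, and one that has not finished arriving yet.
SAMPLES = {
    "valid": b"GET /index.html HTTP/1.1\r\nHost: proxy.example\r\n\r\n",
    "bad_version": b"GET /index.html HTTP/9.9\r\nHost: proxy.example\r\n\r\n",
    "not_http": b"\x16\x03\x01\x00\xa5\x01\x00\x00\xa1\x03\x03" + b"\x00" * 20,
    "incomplete": b"GET /index.ht",
}


def classify_request_line(raw: bytes) -> tuple:
    """Return ('ok', (method, target, version)), ('incomplete', None) or ('malformed', None).

    'incomplete' means no CRLF has arrived yet and the line is still within the
    size limit, so the caller should keep reading rather than judge a partial line.
    A line containing control or non-ASCII bytes is judged at once: more data
    cannot make it valid.
    """
    head, sep, _rest = raw.partition(b"\r\n")
    if any(b < 0x20 or b > 0x7E for b in head):
        return ("malformed", None)
    if not sep:
        return ("incomplete", None) if len(head) <= MAX_REQUEST_LINE else ("malformed", None)
    m = _REQUEST_LINE.match(head) if len(head) <= MAX_REQUEST_LINE else None
    if m is None:
        return ("malformed", None)
    method, target, version = (g.decode("ascii") for g in m.groups())
    return ("ok", (method, target, version))


# Policy 1, what the reply above argues for: stay on the spec but "just return less".
# No Server header, no body that echoes the request, and close afterwards.
MINIMAL_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Content-Length: 0\r\n"
    b"Connection: close\r\n"
    b"\r\n"
)

# For contrast, the chatty kind of 400 the thread wants to avoid. The Server
# value is a made-up placeholder, not any real product string.
CHATTY_400 = (
    b"HTTP/1.1 400 Bad Request\r\n"
    b"Server: ExampleHTTPd/0.1 (ExampleOS 1.2)\r\n"
    b"Content-Type: text/html\r\n"
    b"Connection: close\r\n"
    b"\r\n"
    b"<html><body><h1>Bad Request</h1><p>Your browser sent a request this "
    b"server could not understand.</p></body></html>"
)


def decide(raw: bytes, policy: str) -> tuple:
    """Map raw bytes to an action for the connection handler.

    Returns ('forward', parsed), ('read_more', None), ('respond', bytes) or ('drop', None).
    policy is 'minimal_400' (answer within the spec, reveal nothing) or 'drop'
    (Christopher's approach: close without sending a byte in reply).
    """
    state, parsed = classify_request_line(raw)
    if state == "ok":
        return ("forward", parsed)
    if state == "incomplete":
        return ("read_more", None)
    if policy == "drop":
        return ("drop", None)
    if policy == "minimal_400":
        return ("respond", MINIMAL_400)
    raise ValueError(f"unknown policy {policy!r}")


def disclosed_headers(response: bytes) -> set:
    """Header names present in a response, to compare what each 400 variant gives away."""
    head = response.split(b"\r\n\r\n", 1)[0]
    lines = head.split(b"\r\n")[1:]
    return {line.split(b":", 1)[0].decode().lower() for line in lines if b":" in line}


if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        for policy in ("minimal_400", "drop"):
            print(f"{name:12s} {policy:12s} -> {decide(raw, policy)[0]}")
    extra = disclosed_headers(CHATTY_400) - disclosed_headers(MINIMAL_400)
    print("chatty 400 additionally discloses:", sorted(extra))
```

The point the comparison makes is that the two policies differ only on the malformed path: a well-formed request is forwarded and a half-arrived one is read further under either policy, so the choice between a bare 400 and a drop is purely about what, if anything, to say back. Whichever is chosen, a check like `disclosed_headers` run against the real 400 response is a quick way to confirm no Server or OS string leaks on that path.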
Current thread:
- Dropping connection instead of returning 400 christopher (Mar 03)
- Re: Dropping connection instead of returning 400 Mariusz Pękala (Mar 06)
- Re: Dropping connection instead of returning 400 Michel Arboi (Mar 06)
- <Possible follow-ups>
- RE: Dropping connection instead of returning 400 Michael Silk (Mar 06)
- RE: Dropping connection instead of returning 400 christopher (Mar 06)
- Re: Dropping connection instead of returning 400 Devdas Bhagat (Mar 09)
- Re: Dropping connection instead of returning 400 Garth Somerville (Mar 06)